You Can't Jot Down Fingerprints: Windows Beyond Passwords

Welcome back to our look at increasing the strength of the authentication systems on your
Windows Server 2003 network. In Parts One and Two, we looked at the default authentication
mechanism – passwords – and at some of the policies you can put in place to provide more
protection for your network. In this article we'll look at what your options are if you
want to take the security of your network one step further.

The Problem with Passwords
As we have already established in this series of articles, passwords can
provide a sufficient level of security for most networks, particularly if they are backed
up by strict policies that govern their use. The problem is, though, that no matter how
strong a password is, and no matter how well the policies control those passwords, they
are still simply a piece of knowledge. There is nothing to stop a user from giving their
password to another user, nor is there an easy way for a user to determine that another
person has managed to discover their password. These two things alone make passwords
ineffective in ensuring the highest levels of security.

There is also one other thing that makes passwords susceptible to misuse. When you use
a password-based authentication system, the user need only provide two pieces of evidence
in order to access the network – a username and a password. Given that usernames generally
follow a structured naming standard, you can consider them essentially public knowledge. A
user called Phil Jones with the user ID JonesP will not need a master's degree to figure
out that the user ID for Tracy Jenkins is most likely JenkinsT. So, in reality, a username
and password authentication system represents what is termed single-factor
authentication. In other words, only one piece of private information is required to
access the network.

In order to make the authentication process more robust, we need to look at systems
that require users to provide more than one piece of authentication information. Such
systems are referred to as multi-factor authentication.

The most common form of multi-factor authentication system implemented on Windows
Server 2003-based networks is smartcards. There are two main reasons for their growing
popularity. The first is that smartcards have become an increasingly affordable solution over
recent years, and the second is that support for smartcard authentication is tightly
integrated into Windows Server 2003 and Active Directory.

Smartcards represent an excellent form of multi-factor authentication because they
require that the user provide something they have (the smartcard) along with something
they know (the PIN). Although the smartcard can be lost, without the PIN it is useless.
And although another person could discover the PIN, without the smartcard it is useless.
Additionally, you can't 'guess' a smartcard, and even though, technically, you could
produce a counterfeit smartcard, the process of doing so is beyond the realms of even the
most skilled hacker.

The common belief that smartcards are a relatively new authentication system is a
misconception. Although modern smartcard systems typically use chips embedded into
the card rather than the more traditional magnetic strip method associated with credit
cards, smartcard-based authentication systems have been around for at least twenty years.
In the past, though, they were more commonly associated with high-security minicomputer or
mainframe applications like those used in banking institutions than with general access to
PC-based LANs.

Some of today's smartcard solutions don't actually use cards at all. Instead, USB
pluggable modules that need no separate reader are pointing smartcard technology in a new
direction, one in which people carry the physical equivalent of a USB memory stick and
use that to log on to the network.

Today, the cost of smartcards and their readers has fallen to the point where they can
be considered by organizations of all sizes. In fact, many larger organizations already
use smartcard technology to protect their PC-based server networks.

Smartcards and Windows Server 2003
Implementing a smartcard solution on Windows Server 2003 is relatively straightforward.
The first consideration is that you need to buy smartcard readers, and the accompanying
cards, or some other 'smartcard type' device. Microsoft publishes a list of the smartcard
hardware that is approved for Windows Server 2003 here. A list of the
smartcard types supported by Windows Server 2003 can be found here.

Although the prices of readers and cards vary, you can expect to pay somewhere in the
region of $20-30 for each reader, and around $10 for a card. Of course if you are buying
large quantities of either then you will likely be able to bring the overall price down,
but these figures are a good approximation.

Installation of the smartcard hardware and software is generally simple: each
computer that will support smartcard login will need a reader, but readers normally connect
to either a serial or USB port, so installation is straightforward. You will also need to
have at least one 'writing' station where digital certificates and personal identification
numbers (PINs) will be downloaded to the cards.

Digital certificates are an important consideration, because they are the mechanism by
which smartcards provide their authentication information. In order to produce digital
certificates, you'll need to implement a Public Key Infrastructure (PKI) on your network
using Windows Certificate Services. Certificate Services is included with Windows 2000 and
Windows Server 2003, and is relatively easy to configure unless you want to create complex
policies to manage the certificates. You can find detailed information on PKI and
Certificate Services here.
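Because the certificate on the card is what the domain controller actually validates, it is worth checking an issued certificate against the documented requirements for Windows smartcard logon (the Smart Card Logon and Client Authentication enhanced key usages, a UPN in the Subject Alternative Name, Digital Signature key usage, and a chain to a trusted CA) before it is written to a card. The following PowerShell script is an added example, not code from the article or from Microsoft; the certificate path is a placeholder, and it assumes PowerShell on a domain-joined Windows host that trusts the issuing CA.

```powershell
# Added example (not from the article): check whether an issued certificate
# meets the documented requirements for Windows smartcard logon before it is
# written to a card. $CertPath is a placeholder; export the user's certificate
# from the CA or the card as a .cer file first.
param([string]$CertPath = "C:\temp\user-smartcard.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$findings = @()

# Documented EKU OIDs a smartcard logon certificate must carry.
$requiredEku = @{
    "1.3.6.1.4.1.311.20.2.2" = "Smart Card Logon"
    "1.3.6.1.5.5.7.3.2"      = "Client Authentication"
}
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$presentOids = @()
if ($ekuExt) { $presentOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in $requiredEku.Keys) {
    if ($presentOids -contains $oid) { $findings += "OK    EKU $($requiredEku[$oid]) ($oid) present" }
    else                             { $findings += "FAIL  EKU $($requiredEku[$oid]) ($oid) missing" }
}

# The logon identity lives in the Subject Alternative Name (OID 2.5.29.17) as an
# "Other Name: Principal Name=user@domain" entry; it must match the user's UPN in AD.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($sanExt -and ($sanExt.Format($true) -match "Principal Name=(\S+)")) {
    $findings += "OK    UPN in SAN: $($Matches[1])"
} else {
    $findings += "FAIL  no UPN in Subject Alternative Name"
}

# The card signs the logon challenge, so Key Usage must include Digital Signature.
$kuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if ($kuExt -and ($kuExt.KeyUsages -band $digSig)) {
    $findings += "OK    Key Usage includes Digital Signature"
} else {
    $findings += "FAIL  Key Usage lacks Digital Signature"
}

# The chain must build to a CA the domain controllers trust, with revocation
# checking available, or the DC rejects the logon.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($cert)) {
    $findings += "OK    chain builds to a trusted CA"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    $findings += "FAIL  chain: $status"
}

$findings
```

Run it against a test certificate from the template you intend to use for smartcard logon; any FAIL line points at a template or CA setting to fix before cards are issued to users.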

Once you have programmed the smartcards and provided them to your users, each time the
user logs on they will need to insert the smartcard into the reader and enter the PIN.
No smartcard or no PIN - no access to the network.

If you have a network with users of differing security levels, you can choose to require some
users to have smartcards to log on to the system, while others don't. This determination is
made in Active Directory on the Properties page of the user object. You can see an example
of this screen in Figure 1.

Figure 1.

Of course configuring the user account in this way means that a smartcard-enabled
account will not be able to log on to the network from any system that doesn't have a
smartcard reader. You might want to keep this in mind when planning for workstation
failures or other such problems.
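The setting shown in Figure 1 is stored as a bit in the user object's userAccountControl attribute (the documented ADS_UF_SMARTCARD_REQUIRED value, 0x40000), so you can audit which accounts still log on with a password only and set the requirement without touching each Properties page by hand. The script below is an added example, not the article's own material; it uses plain ADSI/LDAP so it works against a Windows Server 2003 domain controller from any domain-joined host running PowerShell 3.0 or later, and the distinguished name in the commented call is a placeholder.

```powershell
# Added example (not from the article): report which domain accounts have
# "Smart card is required for interactive logon" set, using plain ADSI/LDAP
# so it works against a Windows Server 2003 domain controller. Assumes a
# domain-joined host with PowerShell 3.0 or later; no extra services needed.

# Documented userAccountControl bits.
$SMARTCARD_REQUIRED = 0x40000   # ADS_UF_SMARTCARD_REQUIRED
$ACCOUNTDISABLE     = 0x2       # ADS_UF_ACCOUNTDISABLE

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000        # page the results so large domains come back in full
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$report = foreach ($result in $searcher.FindAll()) {
    $uac = [int]$result.Properties["useraccountcontrol"][0]
    [pscustomobject]@{
        Account           = [string]$result.Properties["samaccountname"][0]
        SmartcardRequired = [bool]($uac -band $SMARTCARD_REQUIRED)
        Disabled          = [bool]($uac -band $ACCOUNTDISABLE)
        DN                = [string]$result.Properties["distinguishedname"][0]
    }
}

# Enabled accounts that can still log on with a username and password alone.
$report |
    Where-Object { -not $_.SmartcardRequired -and -not $_.Disabled } |
    Sort-Object Account |
    Format-Table Account, DN -AutoSize

# Equivalent of ticking the box in Figure 1 for one account: set the bit and
# write the object back. Remember the caveat above: once set, the account can
# only log on from a workstation that has a reader.
function Set-SmartcardRequired {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac  = [int]$user.Properties["userAccountControl"].Value
    $user.Properties["userAccountControl"].Value = $uac -bor $SMARTCARD_REQUIRED
    $user.SetInfo()
}
# Placeholder DN; substitute the real user object:
# Set-SmartcardRequired -DistinguishedName "CN=Phil Jones,OU=Users,DC=example,DC=com"
```

Running the report periodically is a cheap way to catch accounts that were created after the rollout and never had the requirement applied.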

Overall, smartcards represent the ideal choice for organizations that want to get into
multi-factor authentication without spending a fortune. Economies of scale will mean that
as more companies install smartcard systems, the price of readers and smartcard media may
come down, but don't expect to be making vast savings. A healthy competitive market
between the existing smartcard vendors has already put the systems at a reasonable price
point. You might save a few bucks by waiting for a couple of years, but the reality is
that if you can justify the extra security offered by smartcards now, you can also
probably justify spending the money.

Beyond Smartcards
As we have already discussed, smartcards offer a multi-factor
authentication system that requires a user to provide something they have, along with
something they know. But there is one further, even stronger way of verifying a user's
identity – proof of person, referred to as biometrics.

Proof of person authentication systems use some kind of biological characteristic to verify a
user's identity. By far the most common method of biometric authentication is fingerprints,
but others like iris recognition, facial recognition and speech verification are
available.

While modern biometric authentication systems are very reliable, the hardware used for
recognition is relatively expensive. Additionally, there is the added administrative
overhead of programming the system in the first place with the biometric information from
each user.

Although many security-conscious organizations have been using biometrics for physical
access purposes for many years, it has yet to make a real breakthrough into LAN
authentication. However, recent developments suggest that biometrics is preparing to
enter the mainstream. A number of consumer-oriented fingerprint readers are already
available at a reasonable price point ($40-$50), and even though these devices are pitched
at home users rather than network systems, as we become more accepting of biometrics as an
authentication system, it's highly likely that we will see LAN authentication deployments.
There are a number of biometric authentication devices approved for use with Windows
Server 2003 on the Windows Server 2003 Server Catalog, but they are more expensive than
their consumer-oriented brethren.

Like any security implementation, if the losses that you might suffer as a result of an
intruder accessing your system outweigh the cost of implementing the security, then you
may have a case for biometrics. But, given the complexity of implementation and the
associated costs, it's likely that large-scale biometric network authentication systems
will remain the domain of government and ultra high security private organizations for
some time to come.

Editor's Note: This is Drew's last column with Enterprise Networking Planet as he leaves
us to pursue another opportunity. Drew's been a valuable part of the ENP bullpen for
several years, and we'll miss him. Best of luck, Drew!